We are talking about NFC, Near Field Communication, and about the MIFARE Ultralight system.
NFC Ultralight chips are used for communication, near field communication,
and in our country they have been used especially for the transportation system, like buses, metros, trams.
And in the past, there have been some people who discovered some... they hacked the communication system between those chips.
And so in 2008, the MIFARE Classic, which is a type of NFC chip, they managed to exploit the MIFARE Classic.
While in 2011, two American guys managed to exploit an NFC Ultralight.
Which is the one I will be speaking about, NFC Ultralight.
In my country, so in Italy, it has been used for the transportation system.
So if you take a bus, you will take a ticket, a multiple ride ticket, which has a chip, an NFC MIFARE Ultralight, inside.
And so, what is it?
RFID chips are designed to work...
to work at a target frequency, the 13.56 megahertz frequency.
And there are a lot of kinds, as I told you before.
There is the MIFARE Classic, Ultralight, a lot of types.
And the Ultralight is cheap.
But it has a problem.
It has no hardware encryption.
So, how did we come to this hack?
Well, we started studying NFC communication,
NFC chips, from January, when the local transportation system in Turin updated their stamping machines.
And so, it was possible to use those tickets to ride the bus or metro or what else.
And we tried to exploit the same vulnerability they discovered in 2011.
The one I was telling you about before.
And the point is that we didn't know anything about the structure of this ticket.
And so, we tried with that vulnerability, but we failed.
And that was the point. We failed.
We tried to...
And so, you know, if you don't know what you are dealing with, it is...
Let's say it is tricky to solve it.
So, we decided to study those kinds of technology better.
And so, we discovered that...
We tried to make some little experiments, make experience.
And so, we decided to stamp one ticket after the other.
And comparing the results, we had an NFC reader.
And we read the dumps of those tickets.
And we were comparing them to find if there were some similarities, something similar,
to compare and to find, for example,
how the data was saved on the ticket.
And so, we managed to plot down some empiric results of this.
But this is the point where I was getting to...
Assume that you know exactly where the time of the last stamp of your ticket is being stored.
Now, if you have an NFC phone with an NFC reader and writer,
you can actually change the field where the time of your last stamp is stored.
And so in this way, you can easily bypass the stamping system, the stamping machine,
and you can stamp your ticket by yourself.
And this is the point we wanted to get to, the one we were looking for.
But the problem is that it is not so reliable.
And that kind of thing, you have an NFC reader and a lot of things to deal with.
So it was not the point.
And if you want to add something about that.
The point is that we managed to solve our problem.
Because when we looked more in...
We paid more attention about how the ticket was made.
And we, let's say, we came to a solution.
And we found that the answer to hacking those tickets and finding a way to make them unlimited
was in the lock bytes.
The lock bytes are a sector of that ticket.
And he will speak about that now.
Okay.
This is the ticket of my city.
The five rides ticket.
So you can stamp it.
Until five times.
And then it expires.
Theoretically.
This is how it's composed.
We will look at the lock bytes and the OTP data.
Okay.
OTP is the only security function in the tickets.
There are four bytes.
And by default, they are all set to zero.
When you stamp the ticket, there is an operation that turns one bit to one.
And so you can turn it back to zero.
So that's the only way you can stamp the ticket without any fraud or something like
that, theoretically.
So there are 36 possible rides on each ticket.
And we will speak about that later.
The data sector...
It will be funny now.
No, I saw one of your slides coming in.
It's not going to be funny.
We have decided to brand this.
You've heard of Spot the Fed.
This has now shot the noob.
No, we have not.
I trust him.
He is of legal drinking age in Italy.
And this stage is actually technically part of Italy.
Oh, wait.
I'm sorry.
Audience, raise your hand if it's your first time.
You, sir.
Get up here.
On stage.
Somehow.
I can get on.
I don't know if I'll be able to walk.
There are steps on the other side.
All right.
To all the new people at DEF CON.
Cheers.
Who took my bag?
It is here.
Is that OK?
Where was I?
I don't remember.
Okay.
That was strong.
The data sector was used in the last attack to store the rides. But this sector is readable and writable, so you can just swipe
it and get a free, a new ticket. But in ours they fixed it, and so in Turin it doesn't work anymore.
So we thought about just decoding the time stamp from the machine and reproducing it without
touching the OTP sector. So the rides remain the same, but we can stamp it by ourselves.
But we are not getting to the point because we lack NFC hardware. So we are poor, yeah.
If you want some dumps of our ticket, we will give them to you at the Q&A session. No problem. Okay.
These are some empirical results. We can speak more about that.
More later. It just doesn't matter. Okay. The lock sector. This is the most important part
of our talk, because that's the point where we found the solution. There are two bytes.
The first one is the red one and the second one is the orange. Okay. Each bit of these
bytes can lock a sector and make it read-only. Okay. So what we did is just lock the
bit in the lock byte sector that makes the OTP data read-only. So the machine tries to validate
it, but it is read-only and it cannot. So when we first made our test on the road,
we found a little problem, because it's not good that your five rides are taken and then
you always have five rides when they test it.
We forgot to take one of the red ones.
The right one.
Yeah.
And so it was not good.
No, not good.
What are you going to say to the man who is going to check your ticket?
Yeah. I don't know.
Yeah. Okay. How to fix it? The lock attack is quite easy to fix,
theoretically, because you just need to check if the OTP bits are read-only or not.
If they are read-only, refuse to validate. But the main problem is the time attack because
I
Yeah. The point is there are two vulnerabilities we found, but we exploited just one because
we lacked time and hardware, as he explained before. So the time vulnerability would be
very easy to exploit if we could actually decode the data.
Okay.
And what if, imagine, if you know exactly how the data is encoded and where
it is exactly located inside your ticket, it will be really easy to exploit this, because
if you have an NFC reader-writer, you can write the data each time you want. So you
can pick your ticket, put it on your NFC phone and just stamp the actual data, so the actual
time.
If it is 5.15, then you put your ticket over your phone and then you can write 5.15 each
time you want. And so you can bypass the validating system, and so you can still have
four rides left and you're just adjusting the time. And that will be really hard to
fix. Because of all the data written inside the ticket, it will be really hard to fix.
It's not encrypted, hardware speaking. And so if you are able to decode this, it will
be very hard to fix it.
While the lock attack, and so the exploit he was speaking about, will be easy to fix.
Because if the stamping machine checks if the lock bit is on or off, and then with a feedback
mechanism, the stamping machine can immediately know if it's on or off.
Now we are going to study and study more about those kinds of tickets and try to decode
data.
And if you would like to help us, well, we are open minded.
And so we will give you the dumps, and any help will be very welcome.
That is the point.
So we restart the forum about the solution for the time attack.
But it is not available at any time.
It should require a firmware upgrade that theoretically enables the software encryption on the ticket.
Because if you encrypt the ticket, you can't just timestamp your ticket with your phone.
But we spoke about that with our transport company.
They said, yeah, yeah, and never did anything.
We are still waiting for our vulnerability to be fixed on the subground.
We don't really know about that.
And okay.
We are working on a tool that should do everything automatically.
And actually it is written in Python and works on a Linux computer.
You need a...
An NFC reader.
Of course.
Just?
Yeah.
Okay.
That is the tool we use for decoding and writing the tickets.
It is an NFC reader.
You can find it everywhere.
It is cheap.
Cheap, for $10 on eBay, something like that.
And get free rides for your life.
We start selling these, if you want, at the door after the talk.
And we also wanted to buy a Proxmark for further study.
But we really lack money.
So we are also open to donations.
We accept Bitcoin.
Yeah, Bitcoin, of course.
I don't know.
And so I think that's it.
If you have questions about how we got into it, let us know in the comments.
But I think, I don't know if you got the meaning of what we were speaking about.
You know, it is a little bit difficult to speak in another language when you are abroad.
But we tried.
And I think it has been a very good experience.
I think, I hope you enjoyed this talk.
And I hope, well, you got the clue.
For us, it was a very big, not surprise.
But we were very happy to find something like that and to have been accepted here.
To explain to you what we found.
And if you want to test the vulnerability in your city, we are glad to receive feedback
and also invitations for lunch, dinner, a coffee, everything.
I think that speaking about things in more detail wouldn't be so appreciated by you.
I don't know if you would appreciate speaking about the very details of those tickets.
But if you want, in the Q&A, you can ask us for further information and details about
those tickets.
So, I don't know.
Do you have any questions?
Or?
No.
I didn't find out what technology your mass transit system was using for its RFID system.
Yeah.
They advertise it on their Web site.
Google.
That was convenient.
So, there's a similar system that's in use in the Bay Area, and so I'm especially interested
in what you were talking about with the time stamp, because the San Francisco system,
the way it works is you swipe to get on the bus the first time and you have 90 minutes.
Like in Turin.
Okay.
So you have the same system there.
So, it just amounts to changing the time stamp on that and you change it to now and
you get 90 minutes from now to be able to ride and you can do that.
That's your free for life system.
Is that correct?
Yeah.
There's the work in progress because just a second.
Okay.
If you see, we are just guessing where the real time stamp is stored.
Because we didn't have an NFC phone.
So, going on the tram with a computer, five tickets and an NFC.
This is not so good.
But.
There's nothing suspicious about that at all.
It happens all the time.
In San Francisco, anyway, you see that stuff all the time.
Okay.
So, if you have an invitation for San Francisco.
I'd love to have you.
Okay.
Thank you.
Another one?
Another question?
Yeah.
Is this research, are you going to go to San Francisco?
Are you going to be arrested when you go back?
No.
No.
Wait.
We sent an email to the company explaining that we found this vulnerability.
Yesterday.
They are not geeks, so they can't reply very fast.
So, we are waiting now for a reply.
No.
We are publishing a white paper about that.
And we sent it to them.
But I hope they won't fix on the subground.
Because I take subground very often.
Okay.
So, if you want to read our white paper, it will be available.
Yeah.
Yeah.
We will share with you.
Also the tool.
Yeah.
The tool.
It's very badly written, but it works.
Yes.
Another question?
Anyone else?
No.
No.
